Seriously? Your updating tools could be trojaned, the repository could have been hacked or the Python package itself might have a backdoor in it. If you are that concerned about somebody poisoning your downloads, you should install the packages yourself (doing the hash computation on pen and paper just to be sure, of course!). Put simply, I think you are luring yourself into a false sense of security if you think digital signatures are the ultimate answer to viruses.
–
Thomas Jul 21 '12 at 11:29


@Thomas They can prevent a lot of potential damage when repositories are infected, though.
–
Thom Wiggers Jul 21 '12 at 12:02

Sure, digital signatures won't protect against a backdoor in the package. They would defend against DNS spoofing and hijacking though. And a way to put backdoors into packages is to hack developer machines, e.g. with a trojaned package ;)
–
eug Jul 21 '12 at 13:17

2 Answers

Not all Python packages are hosted on pypi.python.org, but easy_install will look at the PyPI page for download links. Many common packages like PIL and lxml use their own distribution server (which in fact often causes issues for package consumers). Example: http://pypi.python.org/pypi/PIL/

pypi.python.org itself does not seem to offer HTTPS support of any kind.

If you wish to provide a secure easy_install / pip environment, I suggest you mirror the required packages to a server where you maintain HTTPS yourself and then restrict downloads to this server using the --allow-hosts option:

Hmmm.. as I feared, the safeguards for Python developer security are pretty pitiful. Thanks for that tip - imho it's a step forward for some - but I've just got one laptop, and the challenge is mirroring securely. Currently I'm thinking that the most secure way is to check out the project's VCS repository..
–
eug Jul 26 '12 at 8:32

Where available, MD5 information should be added to download URLs by appending a fragment identifier of the form #md5=..., where ... is the 32-character hex MD5 digest. EasyInstall will verify that the downloaded file’s MD5 digest matches the given value.
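A client-side check combining the two conventions the answers above describe, the --allow-hosts host restriction and the #md5=... fragment, as an added example that is not part of either answer or of setuptools itself; the host mirror.example.invalid and the file name demo-1.0.tar.gz are constructed:

```python
"""Verify an easy_install-style download URL against an allowed-host list and
the MD5 digest carried in its '#md5=...' fragment (added example, not setuptools code)."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def parse_md5_fragment(url):
    """Return the hex digest from a '#md5=<32 hex chars>' fragment.

    Returns None when the URL carries no md5 fragment and raises ValueError
    when the fragment is present but malformed, so a broken digest is never
    silently treated as 'nothing to check'."""
    fragment = urlparse(url).fragment
    for part in fragment.split("&"):
        key, sep, value = part.partition("=")
        if key.lower() == "md5" and sep:
            value = value.strip().lower()
            if not MD5_HEX.match(value):
                raise ValueError("malformed md5 fragment: %r" % value)
            return value
    return None


def host_allowed(url, allowed_hosts):
    """Same idea as --allow-hosts: only fetch over HTTPS from hosts we mirror."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


def verify_download(data, url, allowed_hosts):
    """True only if the host is allowed and the MD5 of `data` matches the fragment.

    A URL without a '#md5=' fragment yields False: an unverifiable download is
    treated as a failure rather than a pass."""
    if not host_allowed(url, allowed_hosts):
        return False
    expected = parse_md5_fragment(url)
    if expected is None:
        return False
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: b"abc" has the well-known MD5 900150983cd24fb0d6963f7d28e17f72.
SAMPLE_URL = "https://mirror.example.invalid/pkgs/demo-1.0.tar.gz#md5=900150983cd24fb0d6963f7d28e17f72"
ALLOWED_HOSTS = {"mirror.example.invalid"}
```

MD5 is not collision-resistant, so the fragment detects a corrupted or swapped file on a mirror you already trust; it is not a substitute for a signature from the package author.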